Request has been Denied. Flow does not apply to current user. What am I missing!? #8127
Comments
I just had the same issue, the workaround was to use Chrome instead of Firefox, and use the HTTPS port instead of HTTP, i.e. https://172.16.117.253:9443/if/flow/initial-setup/ Which one of those changes sorted it I can't say, but it works now.
Had a similar issue while I still had an additional basic auth middleware applied. After removal it worked.
It's strange, launching through authentik home works fine, but opening from an incognito window doesn't.
Same applies to me too, I just installed it to try it out but it's giving me the same error. Cannot set up.
Same issue here. Fresh installation using the latest version 2024.2.2, and accessing Authentik redirects me to the default login page.
Same issue here. Error on 2023.10.7, and updating to the latest version 2024.2.2 changes nothing. The error happens on every application using oauth or oidc (like komga, Statping or argocd). Logging in works if my users are already logged in to authentik, but they cannot log in otherwise.
I'm also in the same boat here: Fresh setup, the initial setup can't even kick off. Any update/idea yet why?
With the latest Authentik, Docker and Docker Compose version the " Visual image of this is below: My

```yaml
# Installation: https://hub.docker.com/r/beryju/authentik
version: '3.9'
services:
  server:
    image: beryju/authentik:2024.2
    container_name: authentik
    restart: unless-stopped
    command: server
    user: "root"
    environment:
      - AUTHENTIK_REDIS__HOST=${AUTHENTIK_REDIS__HOST}
      - AUTHENTIK_POSTGRESQL__HOST=${AUTHENTIK_POSTGRESQL__HOST}
      - AUTHENTIK_POSTGRESQL__USER=${AUTHENTIK_POSTGRESQL__USER}
      - AUTHENTIK_POSTGRESQL__NAME=${AUTHENTIK_POSTGRESQL__NAME}
      - AUTHENTIK_POSTGRESQL__PASSWORD=${AUTHENTIK_POSTGRESQL__PASSWORD}
      - AUTHENTIK_ERROR_REPORTING__ENABLED=${AUTHENTIK_ERROR_REPORTING__ENABLED}
      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
    volumes:
      - /opt/appdata/authentik/media:/media
      - /opt/appdata/authentik/custom-templates:/templates
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - 9815:9000
      - 9816:9443
    depends_on:
      - postgresql-authentik
      - redis-authentik
    networks:
      - proxy
  worker:
    image: beryju/authentik:2024.2
    container_name: authentik_worker
    restart: unless-stopped
    command: worker
    user: "root"
    environment:
      - AUTHENTIK_REDIS__HOST=${AUTHENTIK_REDIS__HOST}
      - AUTHENTIK_POSTGRESQL__HOST=${AUTHENTIK_POSTGRESQL__HOST}
      - AUTHENTIK_POSTGRESQL__USER=${AUTHENTIK_POSTGRESQL__USER}
      - AUTHENTIK_POSTGRESQL__NAME=${AUTHENTIK_POSTGRESQL__NAME}
      - AUTHENTIK_POSTGRESQL__PASSWORD=${AUTHENTIK_POSTGRESQL__PASSWORD}
      - AUTHENTIK_ERROR_REPORTING__ENABLED=${AUTHENTIK_ERROR_REPORTING__ENABLED}
      - AUTHENTIK_SECRET_KEY=${AUTHENTIK_SECRET_KEY}
    # `user: root` and the docker socket volume are optional.
    # See more for the docker socket integration here:
    # https://goauthentik.io/docs/outposts/integrations/docker
    # Removing `user: root` also prevents the worker from fixing the permissions
    # on the mounted folders, so when removing this make sure the folders have the correct UID/GID
    # (1000:1000 by default)
    volumes:
      - /opt/appdata/authentik/media:/media
      - /opt/appdata/authentik/certs:/certs
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/appdata/authentik/custom-templates:/templates
    depends_on:
      - postgresql-authentik
      - redis-authentik
    networks:
      - proxy
  postgresql-authentik:
    image: postgres:16-alpine3.19
    container_name: postgresql-authentik
    restart: unless-stopped
    healthcheck:
      test:
        [
          'CMD-SHELL',
          'pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}'
        ]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 5s
    environment:
      - PUID='1000'
      - PGID='1000'
      - POSTGRES_USER=${AUTHENTIK_POSTGRESQL__USER}
      - POSTGRES_DB=${AUTHENTIK_POSTGRESQL__NAME}
      - POSTGRES_PASSWORD=${AUTHENTIK_POSTGRESQL__PASSWORD:?database password required}
    volumes:
      - authentik-postgresql-volume:/var/lib/postgresql/data
    ports:
      - 5432:8080
    networks:
      - proxy
  redis-authentik:
    image: redis:alpine3.19
    container_name: redis-authentik
    restart: unless-stopped
    healthcheck:
      test: [ 'CMD-SHELL', 'redis-cli ping | grep PONG' ]
      start_period: 20s
      interval: 30s
      retries: 5
      timeout: 3s
    environment:
      - PUID='1000'
      - PGID='1000'
    volumes:
      - authentik-redis-volume:/data
    ports:
      - 6379:6379
    networks:
      - proxy
volumes:
  authentik-postgresql-volume: {}
  authentik-redis-volume: {}
networks:
  proxy:
    driver: bridge
    external: true
```

At least this has resolved the issue for myself. I hope this helps everyone else, have a great day!
This is not the same issue we are reporting. It's happening since the last 2 or 3 releases afaik.
@codeagencybe Ah, understood. That is a strange issue.
I was also in the same boat yesterday. I found a temporary workaround, so it is possible to log in as admin without completing the initial-setup step due to this bug(?). The solution below is sourced verbatim from their Troubleshooting: Login page. To create the key, run the following command:
For Kubernetes, run
or, for CLI, run
This will output a link that can be used to instantly gain access to authentik as the user specified above. The link is valid for the amount of years specified above, in this case, 10 years. When you are inside click the following: Admin Interface (navbar) > Directory (sidebar) > Users (option in dropdown) > akadmin (link) > User Info (left-side section) > Set Password (button). When your password is set, you should be able to log in as akadmin.
I managed to get my issue solved by changing the LISTEN HTTP flags as follows:

```
AUTHENTIK_LISTEN__HTTP=authentik-server:8000
AUTHENTIK_LISTEN__HTTPS=authentik-server:8443
```

I think the problem was coming from a port conflict with Portainer, which occupies ports 8000, 9000 and 9443 by default. After I set these 2 extra params, matching the same ports on COMPOSE_PORT, the problem was solved. Also, updating to image version 2024.4.0 fixed some other issues.
At the end of the day, I ended up getting around this by using the AUTHENTIK_BOOTSTRAP_ variables to register a user during image creation. That worked, but I ran into so many other issues with getting authentication actually working that I just gave up and left it alone for a while. Trying again with all of this this weekend...
Fresh install of authentik and can confirm this is still an issue where a fresh install doesn't let you set up a user and then permanently locks you out unless you drop the entire DB or the volume the DB is on to try again and repeat this loop. Using the standard instructions of just making the compose, running it, and attempting the initial flow at /if/flow/initial-setup/ on either https or http, on either Firefox or Chrome. This is a showstopper bug which really puts me off adopting this in my enterprise if there's a gamebreaking issue with the most vanilla setup in my homelab (that's been open since January, it looks like?). As a dev / devops engineer I know resources are limited and there's always something more pressing in the backlog, but I literally can't sell my org on adopting this if the default docker-compose instructions simply don't work to demo it!
So if you are behind a reverse proxy, much like I run Portainer in my setup, I had to set up these env variables (as listed above, so thanks @codeagencybe):

```
AUTHENTIK_LISTEN__HTTP=authentik-server:8000
AUTHENTIK_LISTEN__HTTPS=authentik-server:8443
```

If you are setting an explicit Here's my authentik-server config:

```yaml
authentik-server:
  image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-latest}
  container_name: authentik-server
  restart: unless-stopped
  command: server
  environment:
    AUTHENTIK_REDIS__HOST: redis
    AUTHENTIK_POSTGRESQL__HOST: postgresql
    AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
    AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
    AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
    AUTHENTIK_HOST_BROWSER: https://authentik.${PROJECT_HOSTNAME}
  volumes:
    - ${DEFAULT_CONTAINER_DATA_LOCATION}/Authentik/media:/media
    - ${DEFAULT_CONTAINER_DATA_LOCATION}/Authentik/custom-templates:/templates
  networks:
    - zauthentik # I had to do zauthentik because I had network priority issues, so this makes it last for my auth backend
    - homelab
  env_file:
    - ../.env
  ports:
    - 8000:8000
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.authentik-server.rule=Host(`authentik.${PROJECT_HOSTNAME}`)"
    - "traefik.http.routers.authentik-server.entrypoints=https" # or I have seen a lot of people call this websecure
    - "traefik.http.routers.authentik-server.tls=true"
    - "traefik.http.routers.authentik-server.tls.certresolver=${TRAEFIK_TLS_CERTRESOLVER}"
    - "traefik.http.routers.authentik-server.service=authentik-svc"
    - "traefik.http.services.authentik-svc.loadBalancer.server.port=8000"
  depends_on:
    - postgresql
    - redis
    - traefik
  profiles:
    - all
    - authentik
    - traefik
```

and then here's my dynamic configuration:

```yaml
http:
  middlewares:
    # https://github.com/goauthentik/authentik/issues/2366
    middlewares-authentik:
      forwardAuth:
        address: http://authentik-server:8000/outpost.goauthentik.io/auth/traefik # authentik-server matches the name of the container or service, I think
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version
```

Doing all that finally allowed me to get in. Ultimately I think the COOKIE_DOMAIN thing is what did it for me. I figured it out because I could get in fine from When I originally checked my request headers, I saw that the domain the access token was setting was
This doesn't seem to work (anymore?). I get the URL generated correctly, visit it, and it looks like it loads the app for a split second before the frontend realizes the user isn't authed / created properly / some other error, and it kicks me back out to this page. The URL then changes to /if/flow/default-authentication-flow/?next=%2Fif%2Fuser%2F. To reiterate, this is on a fresh install where I can't get completing the flow at if/flows/initial-setup to work. I've tried after I lock myself out by entering any info or even wrong info at if/flows/initial-setup, or before I even visit if/flows/initial-setup; the behavior is the same.
If you're in docker, make sure you don't have any residual volumes or DB data and try incognito mode too. Authentik has some stuff that may be cached.
Yeah, I'm just straight up deleting the docker volume every time that has the DB and watching it rerun all the migrations etc. Wasn't trying with incognito before, forgot they'd store cookies, but am trying it now to no avail just the same. Thanks for the help. Of note, I'm not running any reverse proxy in front of it, and I do see people talking about setting these in their comments above (I've changed the values to match my compose)
but when I add these in, my app is actually just not reachable at all. Using this compose that I grabbed from the official instructions, the main thing I changed was just the ports basically.
Weird that when I add those two variables to my env file, I'm not able to connect to the app's frontend at all, so I've just removed those and I don't specify a compose value either. The app seems to boot successfully from the logs.
Maybe give this .env a look. Compare it to yours maybe. That's what I use.
Also possibly give their docs a look. https://homemediadocker.github.io/Home-Media-Docker/docs/authentik-sso
Note that this container uses an internal network called homelab and zauthentik. This is because the networks for docker get appended in alphabetical order based on priority by default (pretty sure). I noticed yours didn't have a network defined so it should just use the
Also this one has the ports commented out too for Authentik - this is because it is behind a reverse proxy.
Try using the ports it listens to internally, 9000 & 9443. Had the same issue, then I realized the variables apply internally, not external to docker where there's a port forward.
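The point in the reply above, and in the earlier AUTHENTIK_LISTEN__HTTP/HTTPS replies, is that the listen variables name the port inside the container, while a compose mapping such as 9815:9000 exposes that container port on the host. The following POSIX shell snippet is an added example, not code from this thread or from the authentik project: it checks that the port in each listen value is the container side of some `ports:` mapping, so a mismatch like listening on 8000 while only 9000 is published is caught before the stack is started. The function names and the sample mappings are mine and constructed; the 9000/9443 defaults are the internal ports named in the reply above.

```shell
#!/bin/sh
# Added example, not from the thread or from authentik: verify that the port in
# AUTHENTIK_LISTEN__HTTP / AUTHENTIK_LISTEN__HTTPS is the container-side port of
# some compose "ports:" mapping. Listen values name the port inside the
# container; "9815:9000" publishes container port 9000 on host port 9815.

# Port part of a listen value such as "authentik-server:8000" or "0.0.0.0:9000".
listen_port() {
  printf '%s\n' "$1" | sed 's/.*://'
}

# Container-side port of a compose mapping "HOST:CONTAINER", tolerating quotes
# and a trailing "/tcp" (e.g. '"9815:9000"' -> 9000, '8000:8000/tcp' -> 8000).
container_port() {
  printf '%s\n' "$1" | sed "s/[\"']//g; s#/tcp\$##; s/.*://"
}

# Return 0 if the listen value $1 is published by one of the space-separated
# "HOST:CONTAINER" mappings in $2, else 1.
listen_is_published() {
  want=$(listen_port "$1")
  for mapping in $2; do
    [ "$(container_port "$mapping")" = "$want" ] && return 0
  done
  return 1
}

# Check both listen values ($1 HTTP, $2 HTTPS) against the mappings in $3;
# the return value is the number of listen values that no mapping publishes.
check_listen_config() {
  misses=0
  for listen in "$1" "$2"; do
    if listen_is_published "$listen" "$3"; then
      echo "ok:   $listen is reachable through mapping(s): $3"
    else
      echo "miss: $listen is not the container side of any mapping in: $3" >&2
      misses=$((misses + 1))
    fi
  done
  return $misses
}

# Constructed sample: the mappings from the compose file earlier in this thread
# (9815:9000 and 9816:9443), paired first with the internal default ports and
# then with the 8000/8443 listen values one reply set to avoid a Portainer clash.
MAPPINGS="9815:9000 9816:9443"
check_listen_config 0.0.0.0:9000 0.0.0.0:9443 "$MAPPINGS"
check_listen_config authentik-server:8000 authentik-server:8443 "$MAPPINGS" || \
  echo "hint: either keep the listen ports at 9000/9443 or map host ports onto :8000/:8443" >&2
```

Run it with `sh` from the directory holding your compose file after pasting your own mappings into `MAPPINGS`; a non-zero exit from the second call is the mismatch the replies above describe.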
I'm having the same issue... I can get in via recovery link but no one else can log in. I made no changes (that I know of) and am running the latest version 2024.4.2. I woke up the next day and couldn't log in. Bashing my head trying things... I'm using nginx proxy manager in front of authentik. Everything was just fine and boom... this happened. And this is in my .env file:

```
COMPOSE_PORT_HTTP=8080
# Authentik Version to Pull
AUTHENTIK_TAG=2024.4.2
```

Resolved my issue... so stupid.. but I still don't know how it happened..
This worked for me:
That seems to have been the issue for me, I had a "+" in my secret key for authentik and it caused all this mayhem. Removing all special characters and I can happy-path install it from scratch per the documentation!
Thank you, this was the whole problem for me. Default installation instructions allow for illegal characters in the key. Removing '+' and redeploying fixed it.
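Several replies above trace the failure to a '+' in AUTHENTIK_SECRET_KEY. The POSIX shell script below is an added example, not code from this thread or from the authentik project: it pulls the key out of .env-style text, rejects keys that are short or contain anything outside [A-Za-z0-9], and generates a hex key that cannot contain such characters. The alphanumeric allow-list and the 32-character minimum are my assumptions drawn from the reports here, not a documented authentik rule, and the sample .env contents are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from authentik: check the
# AUTHENTIK_SECRET_KEY in a .env file for the characters this thread reports as
# breaking the initial setup, and generate a key that avoids them.

# Allow-list assumed from the reports above ('+' breaks things), not a
# documented constraint. Minimum length is likewise my own choice.
SAFE_KEY_PATTERN='^[A-Za-z0-9]+$'
MIN_KEY_LEN=32

# Print the value of AUTHENTIK_SECRET_KEY from .env-style text on stdin,
# stripping surrounding single or double quotes; prints nothing if absent.
env_secret_key() {
  sed -n 's/^AUTHENTIK_SECRET_KEY=//p' | sed "s/^[\"']//; s/[\"']\$//" | head -n 1
}

# Return 0 if the key is set, long enough and alphanumeric; otherwise report
# the first problem on stderr and return 1.
check_secret_key() {
  key=$1
  [ -n "$key" ] || { echo "no AUTHENTIK_SECRET_KEY set" >&2; return 1; }
  [ ${#key} -ge "$MIN_KEY_LEN" ] || {
    echo "key shorter than $MIN_KEY_LEN characters" >&2; return 1; }
  printf '%s\n' "$key" | grep -Eq "$SAFE_KEY_PATTERN" || {
    echo "key contains characters outside [A-Za-z0-9]" >&2; return 1; }
  return 0
}

# Generate a 60-character key: 30 random bytes from /dev/urandom, hex-encoded,
# so the result is alphanumeric by construction.
gen_secret_key() {
  head -c 30 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Constructed sample .env contents (not from the thread). The first mirrors the
# failing case reported above: a base64-looking value containing '+'.
BAD_ENV='PG_PASS=example-db-password
AUTHENTIK_SECRET_KEY=abc+defghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
'
GOOD_ENV="AUTHENTIK_SECRET_KEY=$(gen_secret_key)"

for sample in "$BAD_ENV" "$GOOD_ENV"; do
  key=$(printf '%s\n' "$sample" | env_secret_key)
  if check_secret_key "$key"; then
    echo "ok:  $key"
  else
    echo "bad: $key"
  fi
done
```

To check a real file, pipe it in: `env_secret_key < .env` gives the key and `check_secret_key "$(env_secret_key < .env)"` exits non-zero on the '+' case from the replies above; `gen_secret_key` produces a replacement to paste into .env before redeploying.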
Here's a revised line for the Installation instructions:
Just ran into this on a fresh install, the docs really need to be updated! https://docs.goauthentik.io/docs/installation/docker-compose
Still an issue for me, even after updating the secret key and redeploying...
As a workaround you can use https://docs.goauthentik.io/docs/installation/automated-install to set
Thanks so much, fixed my issue. According to the logs, 2024.6.1 appears not to have run the django migration properly, since when 2024.4.2 spun up the worker immediately had to apply a bunch of migrations.
Getting the same problem following the official installation guide on Docker Compose. Can't even do the first login. This is a real showstopper for me.
Describe your question/
Simply set up Authentik in portainer with a stack.
Relevant info
Debian 12, Portainer BE 2.19.4, Docker-ce 5:24.0.7, Docker Compose 2.21.0, Authentik 2023.10.6
Screenshots
Logs
Version and Deployment (please complete the following information):
Additional context
After seemingly successfully starting Authentik up, I go to if/flows/initial-setup, I enter in my email and password that I want to use, and every single time, I get this message showing up. What am I doing wrong??? What does it mean flow isn't applicable to current user? There are no users! I'm attempting to create the first one!!